One IPsec tunnel and no ISAKMP tunnel.

Discussion in 'Cisco' started by AM, Dec 29, 2004.

  1. AM

    AM Guest

    After configuring a VPN I had a look at the PDM of our PIX and I wondered why it showed me one
    IPsec tunnel but no ISAKMP/IKE tunnel!

    How can this happen?

    Is there anybody who can explain this to me?

    Thanks,

    Alex.
     
    AM, Dec 29, 2004
    #1

  2. In article <mQEAd.344616$>, AM <> wrote:
    :After configuring a VPN I had a look at the PDM of our PIX and I wondered why it showed me one
    :IPsec tunnel but no ISAKMP/IKE tunnel!

    :How can this happen?

    I rarely use PDM, so I am not very familiar with it. It could be
    anywhere from a bug to the fact that there is no way from the
    command line to display isakmp tunnel count information.

    BTW, you have not mentioned which software version you are running
    on your new 525.

    --
    I don't know if there's destiny,
    but there's a decision! -- Wim Wenders (WoD)
     
    Walter Roberson, Dec 29, 2004
    #2

  3. AM

    AM Guest

    Walter Roberson wrote:

    > In article <mQEAd.344616$>, AM <> wrote:
    > :After configuring a VPN I had a look at the PDM of our PIX and I wondered why it showed me one
    > :IPsec tunnel but no ISAKMP/IKE tunnel!
    >
    > :How can this happen?
    >
    > I rarely use PDM, so I am not very familiar with it. It could be
    > anywhere from a bug to the fact that there is no way from the
    > command line to display isakmp tunnel count information.
    >
    > BTW, you have not mentioned which software version you are running
    > on your new 525.
    >


    6.3(4) and PDM 3.02
    Alex
     
    AM, Dec 29, 2004
    #3
  4. Rik Bain

    Rik Bain Guest

    AM wrote:
    > After configuring a VPN I had a look to the PDM of our PIX and I
    > wondered it showed me it was one IPsec tunnel but no ISAKMP/IKE tunnel!
    >
    > How can this happen?
    >
    > Is there anybody who can explain me this?
    >
    > Thanks,
    >
    > Alex.


    If the IKE tunnel times out/tears down, it will not be rebuilt until the
    IPSEC tunnel needs to rekey. For example, if you have a functioning
    tunnel up, you can clear the isakmp tunnel and traffic will still pass.

    Rik
     
    Rik Bain, Dec 29, 2004
    #4
  5. AM

    AM Guest

    Rik Bain wrote:

    > AM wrote:
    >


    [CUT]

    > If the IKE tunnel times out/tears down, it will not be rebuilt until the
    > IPSEC tunnel needs to rekey. For example, if you have a functioning
    > tunnel up, you can clear the isakmp tunnel and traffic will still pass.
    >
    > Rik


    Thanks Rik. Have you any link/document that talks about this? I thought the IPsec tunnel needed an ISAKMP tunnel to
    work properly. It means I have not deeply understood the VPN building process at all.

    Alex.
     
    AM, Dec 30, 2004
    #5
  6. Rik Bain

    Rik Bain Guest

    AM wrote:
    > Rik Bain wrote:
    >
    >> AM wrote:
    >>

    >
    > [CUT]
    >
    >> If the IKE tunnel times out/tears down, it will not be rebuilt until
    >> the IPSEC tunnel needs to rekey. For example, if you have a
    >> functioning tunnel up, you can clear the isakmp tunnel and traffic will
    >> still pass.
    >>
    >> Rik

    >
    >
    > Thanks Rik. Have you any link/document that talks about this? I thought
    > the IPsec tunnel needed an ISAKMP tunnel to work properly. It means I
    > have not deeply understood the VPN building process at all.
    >
    > Alex.


    Sorry, I don't have any docs that explicitly specify this behavior; it is
    just something I have observed in practice.

    Rik Bain
     
    Rik Bain, Jan 2, 2005
    #6
  7. Alex Chauvin

    Alex Chauvin Guest

    > > [CUT]
    > >
    > >> If the IKE tunnel times out/tears down, it will not be rebuilt
    > >> until the IPSEC tunnel needs to rekey. For example, if you have a
    > >> functioning tunnel up, you can clear the isakmp tunnel and traffic
    > >> will still pass.
    > >>
    > >> Rik

    > > Thanks Rik. Have you any link/document that talks about this? I
    > > thought the IPsec tunnel needed an ISAKMP tunnel to work
    > > properly. It means I have not deeply understood the VPN building process
    > > at all.
    > > Alex.

    >
    > Sorry, I don't have any docs that explicitly specify this behavior; it
    > is just something I have observed in practice.
    >
    > Rik Bain


    IPsec and ISAKMP are not fully correlated; IPsec can run without
    ISAKMP, for example with pre-defined keys or a home-made key exchange
    protocol.

    Depending on the implementation, the ISAKMP daemon monitors the SPD database
    for needed entries (non-existing or dying) and negotiates new keys and
    parameters for the SPD. If the SA used to negotiate keys is not established, a
    new one is started with an authentication phase. The lifetime
    negotiated will determine the duration of what you called the ISAKMP
    tunnel, which is not linked to the lifetime of the SPD (IPsec tunnel).

    Since SA creation can be complex (i.e. certificate validation), the
    lifetime needs to be adapted to the IPsec tunnel lifetime. For example, if
    tunnel keys are changed every 5 minutes, the ISAKMP association probably
    needs to stay up; for a change every 6/12 hours, the SA can be
    renegotiated without generating too much load.

    For reference:
    - IPSEC charter: http://www.ietf.org/html.charters/ipsec-charter.html
    - ISAKMP: http://www.ietf.org/rfc/rfc2407.txt

    Regards, Alex.
     
    Alex Chauvin, Jan 2, 2005
    #7
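    The behaviour Rik describes in #4 and the lifetime reasoning in #7 can be
    seen in a small model. The block below is an added example, not code from
    the thread or from Cisco: it is a toy state machine in which a packet is
    protected directly by a live phase 2 (IPsec) SA, the phase 1 (ISAKMP) SA is
    only consulted when phase 2 needs to be rekeyed, and phase 1 is rebuilt
    (authentication again) only when it is absent or expired at that moment.
    The lifetimes, the one-packet-per-minute traffic and the names `Peer`,
    `clear_isakmp_scenario` and `negotiations_per_day` are all assumptions made
    for the illustration.

```python
"""Toy model of how IKE phase 1 (ISAKMP SA) and IPsec phase 2 SA lifetimes
interact.  Constructed illustration of the behaviour discussed in the thread,
not Cisco code; the lifetimes and traffic pattern are assumptions."""
from dataclasses import dataclass
from typing import Optional


@dataclass
class SA:
    """A security association with a fixed lifetime in seconds."""
    kind: str            # "isakmp" (phase 1) or "ipsec" (phase 2)
    established_at: int
    lifetime: int

    def expired(self, now: int) -> bool:
        return now >= self.established_at + self.lifetime


@dataclass
class Peer:
    """One end of a site-to-site tunnel, tracking its SAs and negotiation counts."""
    isakmp_lifetime: int = 86400   # assumed phase 1 lifetime (seconds)
    ipsec_lifetime: int = 3600     # assumed phase 2 lifetime (seconds)
    isakmp: Optional[SA] = None
    ipsec: Optional[SA] = None
    phase1_negotiations: int = 0
    phase2_negotiations: int = 0

    def clear_isakmp(self) -> None:
        """Analogue of clearing the ISAKMP SA by hand: phase 2 SAs are untouched."""
        self.isakmp = None

    def has_isakmp(self, now: int) -> bool:
        return self.isakmp is not None and not self.isakmp.expired(now)

    def has_ipsec(self, now: int) -> bool:
        return self.ipsec is not None and not self.ipsec.expired(now)

    def send(self, now: int) -> str:
        """Protect one packet at time `now` and report what it triggered:
        "none" while a live IPsec SA exists (IKE is not consulted at all),
        "phase2" when only the IPsec SA had to be rekeyed under a live ISAKMP SA,
        "phase1+phase2" when the ISAKMP SA first had to be rebuilt."""
        if self.has_ipsec(now):
            return "none"
        outcome = "phase2"
        if not self.has_isakmp(now):
            self.phase1_negotiations += 1
            self.isakmp = SA("isakmp", now, self.isakmp_lifetime)
            outcome = "phase1+phase2"
        self.phase2_negotiations += 1
        self.ipsec = SA("ipsec", now, self.ipsec_lifetime)
        return outcome


def clear_isakmp_scenario() -> dict:
    """Reproduce the observation: clear the ISAKMP SA, traffic still flows,
    and IKE only comes back when the IPsec SA reaches its lifetime."""
    peer = Peer(isakmp_lifetime=86400, ipsec_lifetime=3600)
    first = peer.send(0)              # brings up both SAs
    peer.clear_isakmp()               # hand-clearing the ISAKMP SA
    during = peer.send(120)           # IPsec SA alive: passes, no IKE rebuilt
    isakmp_down = not peer.has_isakmp(120) and peer.has_ipsec(120)
    rekey = peer.send(3600)           # IPsec lifetime reached: IKE rebuilt
    return {
        "first": first,
        "after_clear": during,
        "isakmp_down_while_ipsec_up": isakmp_down,
        "at_rekey": rekey,
        "phase1_total": peer.phase1_negotiations,
    }


def negotiations_per_day(isakmp_lifetime: int, ipsec_lifetime: int,
                         interval: int = 60) -> tuple:
    """Count phase 1 and phase 2 negotiations over 24h of steady traffic
    (one packet every `interval` seconds) for a given pair of lifetimes."""
    peer = Peer(isakmp_lifetime=isakmp_lifetime, ipsec_lifetime=ipsec_lifetime)
    for now in range(0, 86400, interval):
        peer.send(now)
    return peer.phase1_negotiations, peer.phase2_negotiations


if __name__ == "__main__":
    print(clear_isakmp_scenario())
    for p1_life, p2_life in ((86400, 300), (600, 300), (300, 300)):
        print(p1_life, p2_life, negotiations_per_day(p1_life, p2_life))
```

    With a 5-minute IPsec lifetime, a 24-hour ISAKMP lifetime costs one
    authenticated phase 1 exchange per day against 288 phase 2 rekeys, while
    an ISAKMP lifetime equal to the IPsec lifetime forces a full phase 1 on
    every rekey, which is the load Alex Chauvin warns about. On the PIX you
    can check the same thing by hand: after the tunnel is up, clear the
    ISAKMP SA and confirm that the IPsec SA counters keep increasing while the
    phase 1 listing is empty (on 6.3 the listings are, as far as I recall,
    `show isakmp sa` and `show crypto ipsec sa`). One caveat: this decoupling
    is IKEv1 behaviour; in IKEv2 deleting the IKE SA also closes every child
    SA negotiated under it, so the same experiment drops the traffic.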
  8. kh_alex81

    kh_alex81

    Joined:
    Jul 19, 2007
    Messages:
    1
    Hi Alex,

    Thanks so much for the explanation. I had faced the same situation: the ISAKMP secured channel is guaranteed down, while the inbound and outbound IPsec SAs are still up. However, I wonder if you have any site proving your explanation; I have been trying to connect to the first site but every time I get "no page found", and when I opened the second one I did not find an explanation for that.

    I am waiting for your reply and I really appreciate your assistance.

    Thank you very much.
     
    kh_alex81, Jul 19, 2007
    #8
